PT-2026-58098 · Roundcube · Webmail

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-62644

CVSS v3.1

6.4

Medium

VectorAV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the password plugin of the Roundcube Webmail was subject to username spoofing via session data, which could lead to account takeover.

Fix

Authentication Bypass by Spoofing

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-62644

Affected Products

Webmail